FuSa 8-Bit Libraries Safety Framework
Watchdog Manager

Contains API prototypes for the Watchdog Manager.

Files

file  midware_watchdog_manager.c
 Implements APIs for the Watchdog Manager.
file  midware_watchdog_manager_asm.h
 Contains assembly API for the Watchdog Manager.
file  midware_watchdog_manager_diag.c
 Implements APIs for the Watchdog Manager diagnostics.
file  midware_watchdog_manager_diag.h
 Contains API prototypes for the Watchdog Manager diagnostics.

Macros

#define UINT24_MAX   0x00FFFFFFUL
 Defines max value for 24-bit registers.

Enumerations

enum  wdtTimeout_t {
  WDT_TIMEOUT_OFF = 0U , WDT_TIMEOUT_CLK8 , WDT_TIMEOUT_CLK16 , WDT_TIMEOUT_CLK32 ,
  WDT_TIMEOUT_CLK64 , WDT_TIMEOUT_CLK128 , WDT_TIMEOUT_CLK256 , WDT_TIMEOUT_CLK512 ,
  WDT_TIMEOUT_CLK1K , WDT_TIMEOUT_CLK2K , WDT_TIMEOUT_CLK4K , WDT_TIMEOUT_CLK8K ,
  WDT_TIMEOUT_MAX
}
 Defines available timeout configurations for the Watchdog Timer.

Functions

errFlag_t MW_GetSwdtPreclearError (void)
 Reads the error flag indicating a non-preclear command received while expecting a preclear command in the Synchronous Watchdog.
errFlag_t MW_GetSwdtClearError (void)
 Reads the error flag indicating a non-clear command received while expecting a clear command in the Synchronous Watchdog.
errFlag_t MW_GetSwdtUnexpectedCmdError (void)
 Reads the error flag indicating a clear command received in the closed window after a preclear command in the Synchronous Watchdog.
errFlag_t MW_GetSwdtCounterExpiredError (void)
 Reads the error flag indicating that the Synchronous Watchdog counter expired.
void MW_ClearSwdtErrors (void)
 Clears all the error flags in the Synchronous Watchdog.
void MW_PreClearSwdt (void)
 Sends a PRECLEAR command to the Synchronous Watchdog.
void MW_ClearSwdt (void)
 Sends a CLEAR command to the Synchronous Watchdog.
errFlag_t MW_SetSwdtResetValue (uint32_t resetVal)
 Sets the Synchronous Watchdog Timer countdown reset value.
errFlag_t MW_SetSwdtWindowValue (uint16_t window)
 Sets the Synchronous Watchdog Timer open window value.
void MW_EnableSwdtInterrupts (void)
 Enables all Synchronous Watchdog error interrupts.
void MW_EnableSwdt (bool useCcp, bool useLock, bool useInstrMode)
 Enables the Synchronous Watchdog Timer with the provided configurations.
void MW_ClearWdt (void)
 Clears the Watchdog Timer by issuing a Watchdog Reset (WDR) instruction.
errFlag_t MW_SetWdtTimeout (wdtTimeout_t window, wdtTimeout_t period)
 Configures and enables the Watchdog Timer in either Normal or Window mode.
void ASM_IssueWdrInstruction (void)
 Issues a Watchdog Reset instruction (WDR) to clear the WDT using assembly.
errFlag_t MW_DiagSwdtCount (void)
 Performs diagnostic to detect faults in the Synchronous Watchdog Timer (SWDT) Counter mechanism.
errFlag_t MW_DiagSwdtExpire (uint32_t newReset)
 Performs error injection diagnostic to detect faults in the Synchronous Watchdog Timer (SWDT) Expire mechanism.
void MW_DiagWdtCountBegin (void)
 Begins diagnostic to detect faults in the Watchdog Timer (WDT) Counter mechanism.
bool MW_IsDiagWdtCountOngoing (void)
 Checks whether the Watchdog Timer (WDT) Count diagnostic is ongoing.
errFlag_t MW_DiagWdtCountEnd (void)
 Completes diagnostic to detect faults in the Watchdog Timer (WDT) Counter mechanism.
errFlag_t MW_DiagWdtExpire (void)
 Performs error injection diagnostic to detect faults in the Watchdog Timer (WDT) Expire mechanism.

Detailed Description

Contains API prototypes for the Watchdog Manager.

Version
1.0.0-alpha.1

The Watchdog Manager provides services to Tasks to ensure correct interaction with features of the WDT and SWDT peripherals.

Enumeration Type Documentation

◆ wdtTimeout_t

Defines available timeout configurations for the Watchdog Timer.

Note
The WDT clock source frequency variation should be accounted for when configuring the WDT timeout.
Enumerator
WDT_TIMEOUT_OFF     Off
WDT_TIMEOUT_CLK8    8 WDT clock cycles
WDT_TIMEOUT_CLK16   16 WDT clock cycles
WDT_TIMEOUT_CLK32   32 WDT clock cycles
WDT_TIMEOUT_CLK64   64 WDT clock cycles
WDT_TIMEOUT_CLK128  128 WDT clock cycles
WDT_TIMEOUT_CLK256  256 WDT clock cycles
WDT_TIMEOUT_CLK512  512 WDT clock cycles
WDT_TIMEOUT_CLK1K   1024 WDT clock cycles
WDT_TIMEOUT_CLK2K   2048 WDT clock cycles
WDT_TIMEOUT_CLK4K   4096 WDT clock cycles
WDT_TIMEOUT_CLK8K   8192 WDT clock cycles
WDT_TIMEOUT_MAX     Reserved/invalid, indicates highest enum value

Definition at line 43 of file midware_watchdog_manager.h.

Function Documentation

◆ MW_ClearSwdt()

void MW_ClearSwdt ( void )

Sends a CLEAR command to the Synchronous Watchdog.

Note
A CLEAR command must be sent after a PRECLEAR command for it to have any effect and to avoid a bad clear error being reported.
Warning
The function will busy wait until the CLEAR command can be received, as indicated by the CLEAR bit in the INTFLAGS register. It is assumed that the Synchronous Watchdog is in the open window, and the PRECLEAR command was sent first. Otherwise, a hardware error is reported.

Definition at line 119 of file midware_watchdog_manager.c.

◆ MW_ClearSwdtErrors()

void MW_ClearSwdtErrors ( void )

Clears all the error flags in the Synchronous Watchdog.

This function clears all Synchronous Watchdog interrupt flags. Use MW_GetSwdtPreclearError, MW_GetSwdtClearError, MW_GetSwdtUnexpectedCmdError and MW_GetSwdtCounterExpiredError to read the error flags before they are cleared simultaneously in this function.

Definition at line 104 of file midware_watchdog_manager.c.

◆ MW_DiagSwdtCount()

errFlag_t MW_DiagSwdtCount ( void )

Performs diagnostic to detect faults in the Synchronous Watchdog Timer (SWDT) Counter mechanism.

This function reads and compares two samples of the SWDT counter. If the sampled counter values are different, the counter is counting and the diagnostic returns no error.

Note
This diagnostic will not necessarily detect stuck bits in the register, just whether the least significant byte of the counter register is updated as expected.
Return values
ERROR     Fault detected in SWDT count functionality.
NO_ERROR  No fault detected in SWDT count functionality.

Definition at line 57 of file midware_watchdog_manager_diag.c.

◆ MW_DiagSwdtExpire()

errFlag_t MW_DiagSwdtExpire ( uint32_t newReset)

Performs error injection diagnostic to detect faults in the Synchronous Watchdog Timer (SWDT) Expire mechanism.

This function performs a diagnostic of the SWDT Expire mechanism by starting an error injection and observing the response. The error injection makes the countdown skip to zero, which normally triggers the expire error mechanism. If an expire error is reported, the diagnostic returns no error.

Warning
After the diagnostic completes, the SWDT remains enabled, even if it was previously disabled, and begins a countdown from the specified 24-bit new reset value right after the injection. If the SWDT is already enabled, the new reset value can be set to the current SWDT count at the time of the call, minus a small delta that accounts for the time until the new reset value is loaded. This effectively restores the count value and minimizes the impact of the error injection.
Note
Error injection will not be initiated if an invalid new reset value is used.
Error injection will not be initiated if the Error Controller is not in NORMAL state or the SWDT error channel is already set.
This function disables global interrupts during its execution to ensure atomic execution and that accidental interrupts are not triggered by initiating the error injection.
Parameters
newReset  The 24-bit reset value to be loaded after completing the error injection.
Return values
ERROR     Fault detected in the SWDT expire mechanism, or error injection did not start.
NO_ERROR  No fault detected in the SWDT expire mechanism.

Definition at line 78 of file midware_watchdog_manager_diag.c.

◆ MW_DiagWdtCountBegin()

void MW_DiagWdtCountBegin ( void )

Begins diagnostic to detect faults in the Watchdog Timer (WDT) Counter mechanism.

This function reads and stores the current counter register value of the WDT for later comparison. If the counter register value has not changed when calling MW_DiagWdtCountEnd(), the diagnostic will report an error. After calling this function, MW_IsDiagWdtCountOngoing will return true until MW_DiagWdtCountEnd() is called.

Note
The WDT runs on the internal OSC32K clock source, which is significantly slower than the typical main clock frequency. Since it counts asynchronously to the main clock, it takes up to 4 WDT clock cycles for the readable counter register to update to a new value. For this reason, begin and end diagnostic APIs are provided to avoid busy-waiting for the count to update.
Warning
It is the responsibility of the calling function to ensure sufficient time separation of at least 4 WDT clock cycles between starting and completing the diagnostic. It is recommended to account for clock source frequency variations.

Definition at line 124 of file midware_watchdog_manager_diag.c.

◆ MW_DiagWdtCountEnd()

errFlag_t MW_DiagWdtCountEnd ( void )

Completes diagnostic to detect faults in the Watchdog Timer (WDT) Counter mechanism.

This function reads and stores the current counter register value of the WDT and compares it to the previous sample stored when calling MW_DiagWdtCountBegin. If the two samples are identical, it indicates that the WDT counter is stuck and the diagnostic returns an error. If the diagnostic was not started by calling MW_DiagWdtCountBegin, the diagnostic will automatically fail. It is recommended to call MW_IsDiagWdtCountOngoing to check this before calling this function.

Note
The WDT runs on the internal OSC32K clock source, which is significantly slower than the typical main clock frequency. Since it counts asynchronously to the main clock, it takes up to 4 WDT clock cycles for the readable counter register to update to a new value. For this reason, begin and end diagnostic APIs are provided to avoid busy-waiting for the count to update.
Warning
It is the responsibility of the calling function to ensure sufficient time separation of at least 4 WDT clock cycles between starting and completing the diagnostic. It is recommended to account for clock source frequency variations.
Note
Global interrupts are disabled during the diagnostic, and restored before returning the result.
Return values
ERROR     WDT Counter is stuck or diagnostic was not started.
NO_ERROR  WDT Counter is not stuck.

Definition at line 141 of file midware_watchdog_manager_diag.c.

◆ MW_DiagWdtExpire()

errFlag_t MW_DiagWdtExpire ( void )

Performs error injection diagnostic to detect faults in the Watchdog Timer (WDT) Expire mechanism.

This function performs a diagnostic of the WDT Expire reset mechanism by setting the watchdog timeout period to the lowest possible value and waiting for it to expire and reset the device. If the WDT expire reset was not successful, an error is returned.

Warning
The diagnostic assumes that the WDT is not enabled (either through fuses or otherwise) when called, and will enable the WDT during execution. If already enabled, a false ERROR may be reported.
After a successful diagnosis, the device is reset. It is the responsibility of the calling function to determine the result of the diagnostic by reading the WDRF flag in the reset controller and the CAUSE bit in the WDT STATUS register.
This diagnostic reads the WDT counter register to determine if the count has reached the configured expire threshold of 8 WDT Clock cycles before returning. Should the counter register be stuck, the diagnostic will never return. For this reason, it is recommended that the Synchronous Watchdog Timer (SWDT) is enabled during execution, which should expire in this scenario and ultimately reset the device through the Error Controller (ERRCTRL).
Return values
ERROR  Fault detected in the WDT expire mechanism.

Definition at line 167 of file midware_watchdog_manager_diag.c.

◆ MW_EnableSwdt()

void MW_EnableSwdt ( bool useCcp,
bool useLock,
bool useInstrMode )

Enables the Synchronous Watchdog Timer with the provided configurations.

Warning
MW_SetSwdtResetValue and MW_SetSwdtWindowValue must be called to set the Reset and Window values before enabling the Synchronous Watchdog to ensure correct operation.
Note
Once the SWDT is enabled, it can only be disabled by a device reset.
Parameters
useCcp        Enable Configuration Change Protection for all SWDT registers.
useLock       Enable locking of certain SWDT registers, preventing modification of the Reset and Window values, performing error injection and enabling/disabling error interrupts.
useInstrMode  Enable counting executed CPU instructions instead of number of main clock cycles.

Definition at line 173 of file midware_watchdog_manager.c.

◆ MW_EnableSwdtInterrupts()

void MW_EnableSwdtInterrupts ( void )

Enables all Synchronous Watchdog error interrupts.

Warning
This function has no effect if the SWDT register lock feature is enabled.

Definition at line 168 of file midware_watchdog_manager.c.

◆ MW_GetSwdtClearError()

errFlag_t MW_GetSwdtClearError ( void )

Reads the error flag indicating a non-clear command received while expecting a clear command in the Synchronous Watchdog.

Note
The flag is cleared by calling MW_ClearSwdtErrors.
Return values
ERROR     Bad clear error flag is set.
NO_ERROR  Bad clear error flag is not set.

Definition at line 59 of file midware_watchdog_manager.c.

◆ MW_GetSwdtCounterExpiredError()

errFlag_t MW_GetSwdtCounterExpiredError ( void )

Reads the error flag indicating that the Synchronous Watchdog counter expired.

Note
The flag is cleared by calling MW_ClearSwdtErrors.
Return values
ERROR     Counter expired error flag is set.
NO_ERROR  Counter expired error flag is not set.

Definition at line 89 of file midware_watchdog_manager.c.

◆ MW_GetSwdtPreclearError()

errFlag_t MW_GetSwdtPreclearError ( void )

Reads the error flag indicating a non-preclear command received while expecting a preclear command in the Synchronous Watchdog.

Note
The flag is cleared by calling MW_ClearSwdtErrors.
Return values
ERROR     Bad preclear error flag is set.
NO_ERROR  Bad preclear error flag is not set.

Definition at line 44 of file midware_watchdog_manager.c.

◆ MW_GetSwdtUnexpectedCmdError()

errFlag_t MW_GetSwdtUnexpectedCmdError ( void )

Reads the error flag indicating a clear command received in the closed window after a preclear command in the Synchronous Watchdog.

Note
The flag is cleared by calling MW_ClearSwdtErrors.
Return values
ERROR     Unexpected command error flag is set.
NO_ERROR  Unexpected command flag is not set.

Definition at line 74 of file midware_watchdog_manager.c.

◆ MW_IsDiagWdtCountOngoing()

bool MW_IsDiagWdtCountOngoing ( void )

Checks whether the Watchdog Timer (WDT) Count diagnostic is ongoing.

This function returns true if MW_DiagWdtCountBegin was called and MW_DiagWdtCountEnd has not yet been called, and false otherwise. It does not check whether sufficient time has passed to complete the diagnostic, just that it has been started.

Return values
true   WDT Count diagnostic is ongoing.
false  WDT Count diagnostic is not ongoing.

Definition at line 136 of file midware_watchdog_manager_diag.c.

◆ MW_PreClearSwdt()

void MW_PreClearSwdt ( void )

Sends a PRECLEAR command to the Synchronous Watchdog.

Note
A PRECLEAR command must be sent before a CLEAR command to avoid a bad preclear error being reported.
Warning
It is assumed that the preclear can be received, as indicated by the PRECLEAR bit in the INTFLAGS register. Otherwise, a hardware error is reported.

Definition at line 110 of file midware_watchdog_manager.c.

◆ MW_SetSwdtResetValue()

errFlag_t MW_SetSwdtResetValue ( uint32_t resetVal)

Sets the Synchronous Watchdog Timer countdown reset value.

This function sets the 24-bit reset value that is loaded into the countdown register after each SWDT clear.

Note
The watchdog can only be cleared in the open window, see MW_SetSwdtWindowValue.
Parameters
resetVal  The 24-bit reset value to be set.
Return values
ERROR     Provided reset value is zero or larger than 24 bits; reset value not set.
NO_ERROR  Provided reset value successfully set.

Definition at line 135 of file midware_watchdog_manager.c.

◆ MW_SetSwdtWindowValue()

errFlag_t MW_SetSwdtWindowValue ( uint16_t window)

Sets the Synchronous Watchdog Timer open window value.

This function sets the 16-bit open window value for the SWDT. The value represents the maximum countdown register value where a clear command can be received. The SWDT is in the closed window when the countdown register value is higher than the window value and in the open window when below. The countdown register starts counting from the set reset value, see MW_SetSwdtResetValue.

Parameters
window  The 16-bit open window value to be set.
Return values
ERROR     Provided window value is 0; window value not set.
NO_ERROR  Provided window value successfully set.

Definition at line 155 of file midware_watchdog_manager.c.
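
The PRECLEAR/CLEAR sequence, the open window and the four SWDT error flags described above can be exercised on a host with a small model. This is an added example, not library code or a hardware specification: every identifier in it is hypothetical, it is built only from the flag and window descriptions on this page, and it assumes that an error leaves the command state unchanged and that an expired counter stays at zero.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical model names; none of these are library identifiers. */
enum { ERR_PRECLEAR = 1U, ERR_CLEAR = 2U, ERR_UNEXPECTED = 4U, ERR_EXPIRED = 8U };
typedef enum { CMD_PRECLEAR, CMD_CLEAR } swdtCmd_t;
typedef struct {
    uint32_t reset, count;  /* 24-bit reload value and countdown register */
    uint16_t window;        /* highest count at which CLEAR is accepted */
    bool     precleared;    /* PRECLEAR seen, CLEAR expected next */
    uint8_t  flags;         /* ERR_* bits, kept until cleared */
} swdtModel_t;

/* Same range checks the page gives for the reset and window setters. */
bool swdt_init(swdtModel_t *m, uint32_t reset, uint16_t window) {
    if ((reset == 0U) || (reset > 0x00FFFFFFUL) || (window == 0U)) { return false; }
    *m = (swdtModel_t){ reset, reset, window, false, 0U };
    return true;
}

/* Count down n steps; reaching zero sets the counter-expired flag. */
void swdt_tick(swdtModel_t *m, uint32_t n) {
    if (n >= m->count) { m->count = 0U; m->flags |= ERR_EXPIRED; }
    else { m->count -= n; }
}

/* Apply one command. State after an error is left unchanged (assumption). */
void swdt_cmd(swdtModel_t *m, swdtCmd_t c) {
    if (!m->precleared) {
        if (c == CMD_PRECLEAR) { m->precleared = true; }
        else { m->flags |= ERR_PRECLEAR; }      /* preclear was expected */
    } else if (c != CMD_CLEAR) {
        m->flags |= ERR_CLEAR;                  /* clear was expected */
    } else if (m->count > m->window) {
        m->flags |= ERR_UNEXPECTED;             /* clear in the closed window */
    } else {
        m->count = m->reset; m->precleared = false;  /* accepted: reload */
    }
}

/* PRECLEAR then CLEAR at `elapsed` counts after reload; returns the flags. */
uint8_t swdt_service_at(uint32_t reset, uint16_t window, uint32_t elapsed) {
    swdtModel_t m;
    if (!swdt_init(&m, reset, window)) { return 0xFFU; }
    swdt_tick(&m, elapsed);
    swdt_cmd(&m, CMD_PRECLEAR); swdt_cmd(&m, CMD_CLEAR);
    return m.flags;
}

int main(void) {
    /* Constructed sample: reset value 1000, window 200. */
    printf("early=%d open=%d late=%d\n", swdt_service_at(1000U, 200U, 500U),
           swdt_service_at(1000U, 200U, 850U), swdt_service_at(1000U, 200U, 1000U));
    return 0;
}
```

Servicing too early and servicing too late raise different flags, which is what lets a task tell a runaway loop from a stalled one.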

◆ MW_SetWdtTimeout()

errFlag_t MW_SetWdtTimeout ( wdtTimeout_t window,
wdtTimeout_t period )

Configures and enables the Watchdog Timer in either Normal or Window mode.

This function enables the WDT by setting the provided window and period values. If already enabled, the new values are used after the next WDT clear. The provided values determine whether to use Normal mode (where it can be cleared anytime before it expires) or Window mode (where it can only be cleared inside the open window). In Window mode, the window and period values are combined to get the total timeout duration.

Note
Once the WDT is enabled, it can only be disabled by a device reset.
Warning
If enabled, window mode is only activated after the first WDR instruction is issued (see MW_ClearWdt).
If the register lock feature is used, this function will have no effect. Setting the period and window values through user fuses will automatically enable the register lock feature.
Parameters
window  Closed window duration in Window mode; set to WDT_TIMEOUT_OFF to disable Window mode.
period  Open window duration in Window mode. Total duration / timeout in Normal mode.
Return values
ERROR     Provided window or period value invalid, window and period not set.
NO_ERROR  Provided window or period value set (assumes register lock is disabled).

Definition at line 201 of file midware_watchdog_manager.c.
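
The notes on WDT clock frequency variation, on the 4-cycle separation for the WDT count diagnostic, and on how window and period combine can be turned into numbers with a host-side helper. This is an added example, not part of the library: the function names are hypothetical, and the 1024 Hz WDT clock and ±10 % tolerance are assumed sample values, since this page does not state the WDT clock rate or its tolerance.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    WDT_TIMEOUT_OFF = 0U, WDT_TIMEOUT_CLK8, WDT_TIMEOUT_CLK16, WDT_TIMEOUT_CLK32,
    WDT_TIMEOUT_CLK64, WDT_TIMEOUT_CLK128, WDT_TIMEOUT_CLK256, WDT_TIMEOUT_CLK512,
    WDT_TIMEOUT_CLK1K, WDT_TIMEOUT_CLK2K, WDT_TIMEOUT_CLK4K, WDT_TIMEOUT_CLK8K,
    WDT_TIMEOUT_MAX
} wdtTimeout_t;                          /* enumerators as listed on this page */
typedef struct { uint64_t earliest_us, latest_us; bool ok; } wdtService_t;

/* WDT clock cycles for an enumerator; 0 for OFF and for invalid values. */
uint32_t wdt_cycles(wdtTimeout_t t) {
    if ((t == WDT_TIMEOUT_OFF) || (t >= WDT_TIMEOUT_MAX)) { return 0U; }
    return (uint32_t)8U << ((uint32_t)t - 1U);
}

/* Microseconds for `cycles` on the slowest (slow=true, rounded up) or fastest
 * (rounded down) clock; nominal `hz` > 0, tolerance `tol` in per mille < 1000. */
uint64_t wdt_us(uint32_t cycles, uint32_t hz, uint32_t tol, bool slow) {
    uint64_t num = (uint64_t)cycles * 1000000000ULL;
    uint64_t den = (uint64_t)hz * (slow ? (1000U - tol) : (1000U + tol));
    return slow ? (num + den - 1U) / den : num / den;
}

/* Interval after the previous clear in which a clear is safe at every clock
 * speed inside the tolerance band; ok is false when no such interval exists. */
wdtService_t wdt_service_interval(wdtTimeout_t window, wdtTimeout_t period,
                                  uint32_t hz, uint32_t tol) {
    wdtService_t r = { 0U, 0U, false };
    uint32_t closed = wdt_cycles(window), open = wdt_cycles(period);
    bool badWindow = (window != WDT_TIMEOUT_OFF) && (closed == 0U);
    if ((open == 0U) || badWindow || (hz == 0U) || (tol >= 1000U)) { return r; }
    r.earliest_us = wdt_us(closed, hz, tol, true);          /* closed window over */
    r.latest_us   = wdt_us(closed + open, hz, tol, false);  /* earliest expiry */
    r.ok = r.earliest_us < r.latest_us;
    return r;
}

int main(void) {
    /* Assumed sample values: 1024 Hz WDT clock, +/-10 % tolerance. */
    wdtService_t a = wdt_service_interval(WDT_TIMEOUT_CLK8, WDT_TIMEOUT_CLK1K, 1024U, 100U);
    wdtService_t b = wdt_service_interval(WDT_TIMEOUT_CLK1K, WDT_TIMEOUT_CLK8, 1024U, 100U);
    printf("8/1K: %llu..%llu us ok=%d\n", (unsigned long long)a.earliest_us,
           (unsigned long long)a.latest_us, a.ok);
    printf("1K/8: %llu..%llu us ok=%d\n", (unsigned long long)b.earliest_us,
           (unsigned long long)b.latest_us, b.ok);
    printf("diag gap >= %llu us\n", (unsigned long long)wdt_us(4U, 1024U, 100U, true));
    return 0;
}
```

With these sample values, a long closed window followed by a short open window leaves no interval that is safe at both ends of the tolerance band, so that combination can never be serviced reliably.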